To generate a self-signed certificate, use the openssl utility to generate a private key and then a self-signed certificate for that key. The Tealeaf-pca package provides the openssl utility; the examples that follow invoke it by its full path, /usr/local/ctccap/bin/openssl.
The following steps assume that you are logged in to the Passive Capture host machine as user root. To generate a self-signed certificate:
- Generate the private key. The following example generates a 2048-bit RSA key file named example.key:
  /usr/local/ctccap/bin/openssl genrsa -out example.key 2048
- Generate the self-signed certificate. The following example generates a self-signed certificate file named example.crt by using the private-key file example.key generated in step 1. With option -days 365, the certificate is valid for the next 365 days (one year):
  /usr/local/ctccap/bin/openssl req -x509 -days 365 -newkey rsa:2048 -key \
      example.key -out example.crt
The openssl req command interactively prompts for various values. The following table displays the prompts and sample replies:

| Prompt | Sample reply |
|---|---|
| Country Name (2 letter code) | |
| State or Province Name (full name) | |
| Locality Name (for example, city) | |
| Organization Name (for example, company) | Acoustic™ Experience Analytics (Tealeaf) |
| Organizational Unit Name (for example, section) | |
| Common Name (for example, YOUR name) | |
The common name must be the fully qualified DNS name of the Passive Capture host machine. If the host machine does not have a DNS name that is assigned to it, then use the IP address of the machine.
- Set the appropriate file ownership and permissions:
  - All private key files must be readable only by the user account that needs read access to the file. The following chmod and chown commands set the permissions and ownership so that only the capture processes running as user ctccap can access file example.key:
    chmod go= example.key
    chown ctccap example.key
  - Place the files in a directory accessible by the user account. For certificate and key files that are used by the Passive Capture software, place the files in the directory from which the Passive Capture software reads them.
Using the SHA-2 algorithm to generate the self-signed certificate
By default, the openssl command uses the SHA-1 algorithm to sign the self-signed certificate on the PCA. Optionally, you can use SHA-2 for the digital signature hash by adding the -sha256 option, as in the following command:
/usr/local/ctccap/bin/openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
    -key example.key -out example.crt
If you are not running PCA Build 3500 or later, you might be able to generate the SHA-2 signed certificate on another Linux™ system. To determine whether that is possible, run the following command on the non-PCA system:
openssl dgst -h
If SHA-256 is supported, the following line is displayed in the generated output:
-sha256 to use the sha256 message digest algorithm
If that line is displayed, then the Linux installation accepts the SHA-2 option, and you can run the following command without providing the PCA-specific path:
openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -key example.key -out \
    example.crt
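The self-signed procedure above (key generation, the -sha256 signature option, and the chmod/chown lock-down of the key file) collapsed into one non-interactive script, followed by the checks an operator would run before installing the files. This is an added example, not part of the Tealeaf documentation or the PCA's own tooling. It assumes a stock openssl on PATH (set OPENSSL=/usr/local/ctccap/bin/openssl on a PCA host); the subject values, file names and the host name pca.example.internal are made up. The -subj argument replaces the interactive prompts. The checks read back the signature algorithm (so you can confirm that the -sha256 option took effect instead of the SHA-1 default), the common name, that only the owner can read the key, that the certificate's public key belongs to the private key, and that the certificate verifies against itself.

```shell
#!/bin/sh
# Added example (not from the Tealeaf/PCA documentation): generate a 2048-bit
# RSA key and a SHA-256 self-signed certificate non-interactively, lock down
# the key file, then verify the result with openssl.  Assumes a stock openssl
# on PATH; on a PCA host set OPENSSL=/usr/local/ctccap/bin/openssl.
# File names, subject values and the host name used below are assumptions.

OPENSSL="${OPENSSL:-openssl}"

# gen_self_signed KEYFILE CRTFILE COMMON_NAME DAYS
# Equivalent of the page's "genrsa" + "req -x509 -sha256" steps, with -subj so
# no prompts appear.  COMMON_NAME should be the host's FQDN (or its IP address
# if it has no DNS name), as the page requires.
gen_self_signed() {
    key="$1"; crt="$2"; cn="$3"; days="$4"
    "$OPENSSL" genrsa -out "$key" 2048 2>/dev/null || return 1
    "$OPENSSL" req -x509 -sha256 -days "$days" -key "$key" \
        -subj "/C=US/O=Example Org/CN=$cn" -out "$crt" 2>/dev/null || return 1
    # Private key readable by its owner only (the page's "chmod go= example.key").
    chmod go= "$key"
}

# Signature algorithm recorded in the certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    "$OPENSSL" x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Subject common name, printed in RFC2253 form so the parsing is the same on
# OpenSSL 1.0, 1.1 and 3.x.
cert_cn() {
    "$OPENSSL" x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds when group and others have no permission bits on the file.
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Succeeds when the certificate's public key is the one derived from the
# private key, i.e. the two files really belong together.
cert_matches_key() {
    [ "$("$OPENSSL" x509 -in "$2" -noout -pubkey)" = \
      "$("$OPENSSL" pkey -in "$1" -pubout 2>/dev/null)" ]
}

# Succeeds when the certificate verifies against itself (self-signed and
# within its validity period).
cert_self_verifies() {
    "$OPENSSL" verify -CAfile "$1" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_self_signed "$d/example.key" "$d/example.crt" pca.example.internal 365
    echo "signature algorithm: $(cert_sig_alg "$d/example.crt")"
    echo "common name:         $(cert_cn "$d/example.crt")"
    key_is_owner_only "$d/example.key" && echo "key permissions:     owner only"
    cert_matches_key "$d/example.key" "$d/example.crt" && echo "key/cert match:      yes"
    cert_self_verifies "$d/example.crt" && echo "self-verify:         OK"
    rm -rf "$d"
fi
```

Run it with the argument demo to see the checks applied to a fresh key pair in a temporary directory. Each check function returns a non-zero status on failure, so the same functions can gate a deployment script. A SHA-1 signed certificate is rejected by current browsers and TLS libraries, so cert_sig_alg should report sha256WithRSAEncryption, not sha1WithRSAEncryption, before the files are copied into place.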
Generating a certificate signing request for an internal certificate authority
If you want to use your own internal certificate authority (CA) to generate a signed certificate, complete the following steps. The steps use the openssl utility as the example utility, although other utilities can be used.
- Acquire a 2048-bit RSA private key. This key can be self-generated as in the following example, which uses the default PCA install path to access the PCA openssl command:
  /usr/local/ctccap/bin/openssl genrsa -out example.key 2048
- Use the RSA private key to create the certificate signing request (CSR). If the key file is named example.key, then the following command generates a CSR file named cert_req.csr:
  /usr/local/ctccap/bin/openssl req -config /usr/local/ctccap/ssl/openssl.cnf -new \
      -key example.key -out cert_req.csr
  If the previous command generates an error message that references openssl.cnf, then the PCA installation path must be configured so that openssl can locate the openssl.cnf file. In this case, apply the -config option to point at the new, non-default installation path. In the following example, this path is /opt/tealeaf:
  /opt/tealeaf/bin/openssl req -new -config /opt/tealeaf/ssl/openssl.cnf -key \
      example.key -out cert_req.csr
- During generation of the CSR by using either of the previous commands, you are prompted for the public certificate values.
- When the CSR file is generated successfully, pass it to the internal CA, which completes the process by creating the signed certificate.
- The signed certificate file can then be installed in the same way as a self-signed certificate for PCA use.
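The CSR procedure above ends where the internal CA takes over. The added example below (not from the Tealeaf documentation or the PCA's scripts) scripts the request side non-interactively, checks the CSR's own signature and subject, and then, going beyond the page, stands up a throwaway CA to sign the request so that the returned certificate can be verified against the CA before it is installed. It assumes a stock openssl on PATH (set OPENSSL=/usr/local/ctccap/bin/openssl on a PCA host); the names, subjects and the fixed serial number are made up, and a real internal CA runs its own signing process rather than the ca_sign function shown here.

```shell
#!/bin/sh
# Added example (not from the Tealeaf/PCA documentation): produce a CSR for a
# host key non-interactively, inspect it, then play the internal CA by signing
# it with a locally created CA key so the whole request -> signed certificate
# -> verification loop can be exercised offline.  The throwaway CA is an
# assumption that goes beyond the page.  Assumes a stock openssl on PATH
# (on a PCA host set OPENSSL=/usr/local/ctccap/bin/openssl); names and
# subject values are made up.

OPENSSL="${OPENSSL:-openssl}"

# make_csr KEYFILE CSRFILE COMMON_NAME: the page's "req -new -key" step with
# -subj supplied instead of answering the prompts.
make_csr() {
    "$OPENSSL" genrsa -out "$1" 2048 2>/dev/null || return 1
    "$OPENSSL" req -new -sha256 -key "$1" -subj "/O=Example Org/CN=$3" \
        -out "$2" 2>/dev/null
}

# csr_is_valid CSRFILE: checks the CSR's self-signature, which proves the
# requester holds the private key matching the embedded public key.
csr_is_valid() {
    "$OPENSSL" req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_cn CSRFILE: common name being requested, parsed in RFC2253 form.
csr_cn() {
    "$OPENSSL" req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# make_internal_ca CAKEY CACERT: a throwaway root standing in for the
# organisation's internal CA (assumption; a real CA lives elsewhere).
make_internal_ca() {
    "$OPENSSL" genrsa -out "$1" 2048 2>/dev/null || return 1
    "$OPENSSL" req -x509 -sha256 -days 3650 -key "$1" \
        -subj "/O=Example Org/CN=Example Internal CA" -out "$2" 2>/dev/null
}

# ca_sign CSRFILE CAKEY CACERT OUTCERT DAYS: what the CA does with the CSR.
# The serial is fixed only to keep this example stateless; a real CA must
# issue unique serial numbers.
ca_sign() {
    "$OPENSSL" x509 -req -in "$1" -CA "$3" -CAkey "$2" -set_serial 1 \
        -sha256 -days "$5" -out "$4" 2>/dev/null
}

# cert_chains_to CERTFILE CACERT: succeeds when the signed certificate
# verifies against the CA, the check to run before installing the file.
cert_chains_to() {
    "$OPENSSL" verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_issuer_cn CERTFILE: common name of whoever signed the certificate.
cert_issuer_cn() {
    "$OPENSSL" x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_csr "$d/example.key" "$d/cert_req.csr" pca.example.internal
    csr_is_valid "$d/cert_req.csr" \
        && echo "CSR signature OK, CN=$(csr_cn "$d/cert_req.csr")"
    make_internal_ca "$d/ca.key" "$d/ca.crt"
    ca_sign "$d/cert_req.csr" "$d/ca.key" "$d/ca.crt" "$d/example.crt" 365
    cert_chains_to "$d/example.crt" "$d/ca.crt" \
        && echo "chain OK, issued by $(cert_issuer_cn "$d/example.crt")"
    rm -rf "$d"
fi
```

Run it with the argument demo to walk through the exchange in a temporary directory. On a real deployment only make_csr, csr_is_valid and csr_cn run on the PCA host; the CSR file is what goes to the CA, and the private key never leaves the host. cert_chains_to is the check to run on the certificate the CA returns, with the CA's own certificate as the -CAfile argument, before the file is placed where the Passive Capture software reads it.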
Utility scripts for self-signed certificates
Acoustic Experience Analytics (Tealeaf) provides a script that makes it easier to create self-signed certificates. The full path to the script file is /usr/local/ctccap/sbin/gen-self-signed-cert.sh. Specify the names of the new private key and certificate files as arguments to the script.
The script creates a 2048-bit RSA key file and a self-signed certificate that is valid for 10 years (3,650 days). The resulting files are owned by user ctccap, and the private key is readable only by that user. See the following example:
/usr/local/ctccap/sbin/gen-self-signed-cert.sh example.key example.crt
Several self-signed certificates are created as part of the PCA installation process. If you change the host name of the PCA host server, you can regenerate all of these certificates by using the following command.
env FORCE=YES /usr/local/ctccap/sbin/all-self-signed-certs.sh
The previous command deletes and re-creates the following files:
/usr/local/ctccap/etc/tealeaf-pca.crt
/usr/local/ctccap/etc/tealeaf-pca.key
/usr/local/ctccap/etc/tealeaf-tts.crt
/usr/local/ctccap/etc/tealeaf-tts.key
/usr/local/ctccap/etc/tealeaf-tts.pem
/usr/local/ctccap/etc/tealeaf-web.crt
/usr/local/ctccap/etc/tealeaf-web.key